There have been rumors of the NSA and others using those kinds of MITM attacks, but to have it confirmed that they're doing them against the likes of Google, Yahoo and Microsoft is a big deal -- and something I would imagine does not make any of those three companies particularly happy. As Ryan Gallagher notes in the Slate article linked above:

in some cases GCHQ and the NSA appear to have taken a more aggressive and controversial route—on at least one occasion bypassing the need to approach Google directly by performing a man-in-the-middle attack to impersonate Google security certificates. One document published by Fantastico, apparently taken from an NSA presentation that also contains some GCHQ slides, describes “how the attack was done” to apparently snoop on SSL traffic. The document illustrates with a diagram how one of the agencies appears to have hacked into a target’s Internet router and covertly redirected targeted Google traffic using a fake security certificate so it could intercept the information in unencrypted format.

Documents from GCHQ’s “network exploitation” unit show that it operates a program called “FLYING PIG” that was started up in response to an increasing use of SSL encryption by email providers like Yahoo, Google, and Hotmail. The FLYING PIG system appears to allow it to identify information related to use of the anonymity browser Tor (it has the option to query “Tor events”) and also allows spies to collect information about specific SSL encryption certificates.

While some may not be surprised by this, it's yet more confirmation as to how far the NSA is going and how the tech companies aren't always "willing participants" in the NSA's efforts here. Of course, the real question now is how the NSA is impersonating the security certificates to make these attacks work.

from the fighting-the-fight dept

A week and a half ago, we noted that the intelligence community and the big internet companies (Google, Microsoft, Yahoo and Facebook) had failed to come to an agreement that allowed the tech companies to publish the details on how many FISA court orders they get and how many of their users this impacts. Given that, the various companies made it clear that this fight would continue in court. Today, they filed very similar briefs, which you can see below, claiming a few key things:

The various public reports from The Guardian, The Washington Post (and others, including Gawker) are flat out wrong concerning the nature of these companies' involvement with the NSA.

Because of the gag order on FISC orders under Section 702 of the FISA Amendments Act, the tech companies are barred from correcting the record, which is tremendously harmful to them and their business prospects.

They have a First Amendment right to give out information on how many such requests they receive, and how many users those requests have impacted.

Doing so would have no harmful impact on national security.

That seems to be the basic argument, and it's a strong one. The Google and Yahoo filings, in particular, don't hold back in terms of how ridiculous this whole situation is, in which they're accused of doing something and are barred due to a nebulous gag order from proving that they didn't actually do it. Some of the requests also note that the court's hearings over these challenges should be held in public. As Google's filing notes:

Google further requests that the Court hold oral argument on this amended motion and that the argument be open to the public.. A public argument would be consistent with this Court's rules, which state that "a hearing in a non-adversarial matter must be ex-parte and conducted within the Court's secure facility," suggesting, by negative implication, that a hearing in an adversarial matter shall be open..... It is also required by the First Amendment, which generally protects a right of public access to judicial proceedings.

from the well-this-is-getting-interesting dept

It's been pretty obvious that the big telcos, AT&T and Verizon, have been working closely with the feds on all of the various surveillance operations. The big question, however, has been how closely the big tech companies have been involved -- with most of them issuing pretty strong denials, and some of the early reports of their involvement not standing up to much scrutiny. Late on Friday, reports came out that Google has actually been scrambling to encrypt the information that flows between its data centers to protect that particular attack vector from the feds:

Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said Friday.

The move by Google is among the most concrete signs yet that recent revelations about the National Security Agency’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs.

Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information...

That doesn't exactly sound like a willing partner in all of this. Still, part of the problem is that without any real transparency as to what the NSA is getting from companies, there are plenty of people who simply won't trust statements like this. Furthermore, given that last week's leaks revealed that the NSA actively recruits employees within companies to sabotage their security, it suddenly seems like even companies with the best of intentions now need to be on the alert for moles from the government within their own ranks. This is, frankly, insane. It's the kind of thing that wasn't supposed to happen in the US.

Microsoft said it had "significant concerns" about reports that the National Security Agency and its British counterpart, GCHQ, had succeeded in cracking most of the codes that protect the privacy of internet users. Yahoo said it feared "substantial potential for abuse".

All of these responses still feel a lot weaker than they need to be, even recognizing that there may be gag orders involved. As we've said before, the potential downside for the US tech industry is huge, and they need to be doing more to stand up to the NSA, and that includes fighting back against these efforts and doing everything they can to reveal what they've been asked to do over the years.

from the taxpayer-money dept

The latest Ed Snowden leak from the Guardian shows that after the FISA court had ruled that aspects of the NSA's data collection program were unconstitutional, the NSA had to work with tech companies to change their technology to avoid capturing some of the information they weren't allowed to capture, and, as a result, the NSA paid millions to those tech companies via its Special Source Operations. To be honest, this doesn't seem like a huge bombshell in terms of revelations. It's long been known that the government pays companies for law enforcement assistance/surveillance (e.g. wiretaps) -- and as long as that surveillance is legal, that makes sense and is reasonable. The fact that this cost millions of dollars, however, suggests that it's a pretty big program.

Either way, while many of the Snowden leaks have been a pretty big deal, this one seems like nothing new. It's never been a secret that tech companies were required to reveal certain information under court orders, or that the government pays the companies for the cost. The only thing here is that the companies had to change their systems to make sure that the NSA's collection effort was "in line" with what the FISA Court deemed to be Constitutional. If anything, that makes a lot of sense, as we should want the government to have to cover the costs of making sure that their surveillance efforts are Constitutional. Many of the leaks so far have been a big deal, but this one doesn't seem all that interesting.

from the seems-a-bit-extreme dept

For a few years now, we've been following a rather troubling legal fight between people in Ecuador and Chevron -- the oil giant that has been in a long-term legal battle with people in Ecuador over some of its actions in that country. A few years ago, we wrote about how Chevron was ordering a documentary filmmaker to turn over cut footage, claiming that it might exonerate the company (the filmmaker tried to hold it back, claiming it was protected under journalist shield rules). However, last fall, we noted something perhaps even more troubling. Chevron had issued subpoenas seeking various email info from Google, Yahoo and Microsoft going back years. As we noted at the time, they weren't seeking the content of the email, but they were seeking what many more people are now familiar with as "metadata." But, metadata can be quite revealing.

When we wrote about this case a year ago, it was in the context of one person, Kevin Heller, whose data was sought, and him successfully fighting back (with some help from the ACLU) and getting Chevron to drop the request for his info. But, as for everyone else's info? Mother Jones alerts us to the news that a judge in NY recently said it was okay for Chevron to get all that metadata, in some cases going back nine years.

...a federal court granted Chevron access to nine years of email metadata—which includes names, time stamps, and detailed location data and login info, but not content—belonging to activists, lawyers, and journalists who criticized the company for drilling in Ecuador and leaving behind a trail of toxic sludge and leaky pipelines. Since 1993, when the litigation began, Chevron has lost multiple appeals and has been ordered to pay plaintiffs from native communities about $19 billion to cover the cost of environmental damage. Chevron alleges that it is the victim of a mass extortion conspiracy, which is why the company is asking Google, Yahoo, and Microsoft, which owns Hotmail, to cough up the email data. When Lewis Kaplan, a federal judge in New York, granted the Microsoft subpoena last month, he ruled it didn't violate the First Amendment because Americans weren't among the people targeted.

Leaving aside the fact that the court thinks it's okay to do this even if it's just "non-Americans" who have their privacy violated here, Mother Jones points out that this claim that it only targeted non-Americans isn't, in fact, true. Pesky details.

Now Mother Jones has learned that the targeted accounts do include Americans—a revelation that calls the validity of the subpoena into question. The First Amendment protects the right to speak anonymously, and in cases involving Americans, courts have often quashed subpoenas seeking to discover the identities and locations of anonymous internet users. Earlier this year, a different federal judge quashed Chevron's attempts to seize documents from Amazon Watch, one of the company's most vocal critics. That judge said the subpoena was a violation of the group's First Amendment rights. In this case, though, that same protection has not been extended to activists, journalists, and lawyers' email metadata.

The Electronic Frontier Foundation (EFF) represents 40 of the targeted users—some of whom are members of the legal teams who represented the plaintiffs—and Nate Cardozo, an attorney for EFF, says that of the three targeted Hotmail users, at least one is American. Cardozo says that of the Yahoo and Gmail users, "many" are American.

This seems like a pretty big problem, given the rationale of the judge initially. Beyond that, just the basic chilling effects from finding out that a giant company could get access like this to so much metadata on a large list of its critics is fairly incredible. As the article notes, while subpoenas on people who aren't actually parties to a lawsuit are "routine," they're not supposed to be mass fishing expeditions, which they appear to be in this case.

And, of course, even the whole "well they're not Americans so the First Amendment doesn't apply" thing is highly questionable -- since many of the accounts are anonymous internet users, and the First Amendment does protect online anonymity and there's no way for Chevron or the judge to know if the anonymous users are Americans or not.

from the look-how-furrowed-my-brow-is,-dammit! dept

"I'm going to try to regulate [insert concept or technology here] because I really have no idea how it works," said no politician ever. "Bad things are happening and we're going to do something about it!" said too many government officials to count.

UK Prime Minister David Cameron is at it again, fretting about child porn and saying grumbly things about holding search engines responsible for the actions of others. This is one of Cameron's favorite hobby horses: porn on the internet, both legal and otherwise. He's pushed for mandatory porn filtering on every new computer and insisted any business offering open wi-fi block access to the nasty stuff.

Child porn is the new focus, thanks to the recent high profile trial (and conviction) of Mark Bridger for the kidnapping and killing of a 5-year-old girl. Bridger's computer showed he had viewed pictures of child sexual abuse shortly before the kidnapping.

David Cameron will tell internet companies including Google they have a "moral duty" to do more to tackle child abuse images found by using their websites.

In a major speech on Monday he will call for search engines to block any results being displayed for a blacklist of terms compiled by the Child Exploitation and Online Protection Centre (Ceop).

Strange. I would have thought the "moral duty" lay with those creating and viewing the exploitative material, not the inadvertent go-between whose job it is to index web content. Complying with a blacklist seems like a good idea, but there are two problems with that idea: determined people will get around the blacklist and blacklists tend to inadvertently block legitimate searches.

Why these search engines need to comply with the blacklist in Britain is a mystery, considering every major UK ISP already filters the web using this list, according to the head of the CEOP.

Jim Gamble, chief executive of the Child Exploitation and Online Protection Centre (CEOP), said the blacklist currently used to filter the vast majority of UK internet connections had been a "fabulous success".

At that point (2009), only small "boutique" ISPs had yet to adopt CEOP's filtering and the Home Office estimated roughly 95% of internet users were covered. But Cameron insists that more needs to be done, even as ISPs voluntarily comply with most government recommendations -- like "splash pages" that warn users they are attempting to view illegal material.

[T]he prime minister will call on firms to go further, with splash screens warning of consequences "such as losing their job, their family, even access to their children" as a result of viewing the content.

Everything already in place just isn't good enough. Apparently, it all needs to be bigger and bolder and subject to brand new laws created in the climate of panic and paranoia that usually follows high profile criminal activity. Cameron won't be satisfied until he tames the Wild West.

"I'm concerned as a politician and as a parent about this issue, and I think all of us have been a bit guilty of saying: well it's the internet, it's lawless, there's nothing you can do about it.

"And that's wrong. I mean just because it's the internet doesn't mean there shouldn't be laws and rules, and also responsible behaviour."

But, when Cameron says "responsibility," he means it in the governmental sense, which has nothing to do with personal responsibility and everything to do with the government acting as a national conscience and finding someone to hold responsible for the child porn problem. It won't be child pornographers or their audience, however.

"There is this problem ... that some people are putting simply appalling terms into the internet in order to find illegal images of child abuse.

[W]e need to have very, very strong conversations with those companies about saying no, you shouldn't provide results for some terms that are so depraved and disgusting...and that, I think, there's going to be a big argument there, and if we don't get what we need we'll have to look at legislation."

Do it or we'll make you do it.

"So it's about companies wanting to act responsibly. If you think about it, there's really a triangle here. There are the people uploading the images. We've got to go after them. There are the people looking at the images. We've got to go after them. But there is also in this triangle the companies that are enabling it to happen, and they do need to do more to help us with this."

Hi, I'm a search engine. I index the web and bring you the results you ask for. I don't create child porn, nor do I consume child porn, but please, hold me responsible for the actions of others. The legal team at Google, Bing or any other search engine is always easier to locate than a child pornographer. It's the path of least resistance and taking on "tech giants" on "behalf" of the people makes government officials feel big. Win-win.

Cameron wants the search engines to return no results in response to CEOP's blacklisted terms. It seems like such a little thing to ask, and Cameron is certainly pitching it that way. They just need to "do more to help us." But what happens when law enforcement, intelligence agencies or the government itself decides other search terms are a problem, perhaps coming from an angle of "combating terrorism" or "preventing hate crime?" Almost everyone agrees those are "bad," but do they really want their search results censored and filtered and sorted according to secret blacklists? Probably not, but it likely won't matter. Agreeing to this allows the government to get a foot in the door.

On top of the collateral damage, there's the fact that filtering search engine results is going to make a lot of headlines but do very little to curb the trafficking of child pornography. Jim Gamble of CEOP feels we've already maxed out the effectiveness of web and search filters -- something he pointed out back in 2009.

At the frontline, web filtering is now viewed as a peripheral issue. Gamble agreed with the charities that filtering is useful, but added it was ineffective against "hardcore predators" who swap material over peer to peer networks and for whom "the internet has moved on".

"I believe filtering is good to avoid inadvertent access that will disturb or damage a young person, or deliberate novice access," Gamble said.

The pros don't bother with public web sites and search engines. They go P2P and circumvent every filter put into place by government intervention. Gamble realizes this and has already shifted the agency's focus to peer-to-peer networks. Unlike Cameron, Gamble doesn't waste time constructing stupid "triangles of responsibility" in order to pin the blame on the biggest, easiest target.

Gamble, a former intelligence chief in the Police Service of Northern Ireland, was however keen to head off accusations of an attack on peer to peer technology itself. "We can't blame technology - it's people," he said.

"Peer to peer is a valuable resource for the online community. Our focus is on child protection."

Maybe Cameron should spend a little time actually discussing his plans with CEOP before using the agency's name in vain in order to attack search engines for being search engines. CEOP seems to have a handle on the problem -- the real problem. It's too bad Cameron's more interested in publicly displaying how deeply concerned he is than making actual progress against child pornographers.

from the simple-questions dept

You may have heard the news today that a bunch of big tech companies -- including Google, Facebook, Microsoft, Apple, Twitter, Mozilla, Reddit, Tumblr and others -- have sent a strong letter to a variety of government officials, both in the administration and Congress, demanding greater transparency, and the ability to reveal more information about the government's various surveillance programs that compel the tech companies to participate:

We the undersigned are writing to urge greater transparency around national security-related requests by the US government to Internet, telephone, and web-based service providers for information about their users and subscribers.

First, the US government should ensure that those companies who are entrusted with the privacy and security of their users’ data are allowed to regularly report statistics reflecting:

The number of government requests for information about their users made under specific legal authorities such as Section 215 of the USA PATRIOT Act, Section 702 of the FISA Amendments Act, the various National Security Letter (NSL) statutes, and others;

The number of individuals, accounts, or devices for which information was requested under each authority; and

The number of requests under each authority that sought communications content, basic subscriber information, and/or other information.

Second, the government should also augment the annual reporting that is already required by statute by issuing its own regular “transparency report” providing the same information: the total number of requests under specific authorities for specific types of data, and the number of individuals affected by each.

As an initial step, we request that the Department of Justice, on behalf of the relevant executive branch agencies, agree that Internet, telephone, and web-based service providers may publish specific numbers regarding government requests authorized under specific national security authorities, including the Foreign Intelligence Surveillance Act (FISA) and the NSL statutes. We further urge Congress to pass legislation requiring comprehensive transparency reporting by the federal government and clearly allowing for transparency reporting by companies without requiring companies to first seek permission from the government or the FISA Court.

This follows on a somewhat similar letter from Reps. Jim Sensenbrenner and Zoe Lofgren to Attorney General Holder and Director of National Intelligence Clapper, urging them "to authorize U.S. companies to release information regarding national security requests for user data."

Both letters point out that they're just looking for the ability to reveal specific numbers about orders received and user accounts impacted, but obviously not further information that might reveal the details of any investigations. Basically, they're asking for "just the metadata."

You may have spotted the irony, pointed out by Ashkan Soltani: Defenders of many of the government's surveillance programs have repeatedly trotted out the "just metadata" argument for why all of this surveillance is no problem, claiming that mere metadata doesn't reveal anything important. Yet, when it comes to their own metadata about their own surveillance programs, suddenly it will reveal all their secrets? (And I won't even get into the fact that only some of the surveillance programs are "just metadata").

So, which is it, feds? Is "just metadata" nothing too important, or does it reveal everything?

from the how-much-black-ink-will-they-use-up? dept

Last month, we noted that, while it was known that a tech company had fought back against a surveillance effort by the government and lost, it hadn't yet been revealed who that company was. The NY Times then revealed that it was Yahoo!, and it involved whether or not Yahoo! would be involved in PRISM. Yahoo tried to fight it, lost, and had to comply -- but the details (of course) remained entirely sealed. It appears that's changing. Yahoo! has been asking the government if it can reveal more info, and eventually the government (at the very least) allowed Yahoo to admit that it was the party in the case. After that, Yahoo asked FISC if the ruling could be declassified, and the court has now told the government to review the ruling to figure out what can be declassified.

The Government shall conduct a declassification review of this Court's Memorandum Opinion of April 25, 2008, and (2) the legal briefs submitted by the parties to this Court in this matter. After such review, the Court anticipates publishing that Memorandum Opinion in a form that redacts any properly classified information.

Of course, given the government's history of over-redacting, I fully expect a document with a ridiculous amount of black ink applied (invest now in black ink!). However, I do wonder if this is part of the various FISC judges realizing that there's been a fairly strong outcry against their secret court with a big rubber stamp.

from the the-details-matter dept

This has been rumored for ages, and the White House has certainly been pushing for this almost non-stop for years, but in a similar vein to the ISPs and the RIAA/MPAA coming to a "voluntary agreement" to implement a six strikes policy, the major online ad networks, led by the Internet Advertising Bureau (IAB) along with Google, Microsoft, Yahoo and AOL (and, yes, with the White House) have come to an agreement to stop their ads from appearing on "rogue" sites that are engaged in copyright infringement or selling counterfeit goods via a series of "best practices." The agreement says that the various ad networks who are participating will strive to keep their ads off of sites "that are principally dedicated to selling counterfeit goods or engaging in copyright piracy and have no substantial non-infringing uses."

I have some concerns about this, as I'll discuss below, but on the whole it appears that there's actually some good to come out of this. First off, it's worth noting that all of these guys already have terms of service that bar the use of their ads on sites that primarily engage in such things. While various tech industry haters still tend to believe otherwise, the tech industry has been pretty good at keeping their ads directly away from such sites for years. The ads that tend to get on those sites come from tiny third party ad networks that no one has heard of. In fact, some of the "evidence" against Megaupload was that from very early on, Google kicked it out of its ad program.

Another sign that this agreement probably isn't that bad: the MPAA has already put out a statement about how they hate it, saying that it's not enough. Chris Dodd specifically argues that nothing is going to be enough until everyone else does the copyright holders' job for them, and proactively polices the internet. The fact that no one but the copyright holder can know for certain if something is infringing is not even allowed to enter the discussion in the corrupt minds of the MPAA.

In this case, it appears that this new agreement involves something of a more formalized notice and (possible) takedown system. Copyright holders can submit a complaint to each ad network (individually, not to some central authority), and then the ad network gets to decide how it handles the notice -- but, under the best practices, they will strive to keep their ads from appearing on such sites. Since this is just a voluntary agreement, unlike, say, the DMCA, there's no automatic liability shifting in refusing to pull the ads -- and the agreement makes it clear that the best practices themselves do not establish liability, nor do they create a duty to proactively monitor (though, I could see how copyright holders might later try to raise that issue).

The good thing about this program is that it appears those who worked on it clearly recognize that certain copyright holders may be a little over eager in claiming certain sites are "pirate" sites when they might not be. So the program is designed to be more transparent and to include the clear ability for a site to appeal such a decision and get the ad networks to reconsider. In some ways, this is a step forward from the way it was before, in which Google or others might just kick you out of the program with almost no communication and absolutely no right of appeal. In fact, Google is somewhat infamous for its big white monolithic response to kicking people out of its ad network: basically just telling them "you've violated our terms" with no explanation, no way to find out more, and no way to appeal. Adding an actual appeals process is a step up.

That said, there are still two key concerns here. The first is that even with an appeals process and various safeguards, it's quite likely that legitimate sites that have significant non-infringing purposes will still get caught up in this. We've seen too many false takedowns, false attacks and the like for that not to happen. And even with an appeals process, losing your entire ad network for a period of time can completely sink a small business (and, any site making money on these kinds of ad networks is, by definition, a small business -- because none of these ad networks pay out very much to individual sites).

The second concern is a bigger one: if you look at the history of some of the most important innovations that have helped the content industry grow, they almost always start out as what those content industries deemed "principally dedicated to infringing activity." In the early days of radio, cable TV, VCRs, DVRs, mp3 players, YouTube, etc... they were all attacked as being hotbeds of infringement. Yet, as they grew in popularity, business models developed that helped the content industry tremendously. As I've pointed out in the past, it was only four years after Jack Valenti declared that the VCR was the "Boston Strangler" of the movie business that the home video business surpassed the box office in revenue for Hollywood. Yet, if we allow a system where the copyright holders are able to simply starve these new businesses completely before they've had a chance to develop and mature, I worry that we miss the next VCR, the next DVR, the next mp3 player, the next YouTube -- and whatever tool comes next that allows content creators to do an even better job connecting with fans, creating new works, distributing new works, promoting those works and eventually monetizing those works.

It's easy to simply try to label all new upstarts as "evil" and kill them off, but history has shown that's generally not a very good idea. The reason those upstarts are successful is not that they enable infringement, but rather that they enable something new and useful that people want and like. The real opportunity is in figuring out ways for content creators to use that to their advantage -- and I fear that programs like this make it easier to simply snuff them out too early.

That said, if there needs to be such a program, this one appears to be the least destructive approach. It doesn't create liability or a proactive duty to police the internet. It allows the networks to make the final call on what to do with complaints. It gives the accused sites the ability to appeal whatever decisions are made. Either way, I would imagine that the MPAA and the RIAA already have their incredibly long lists of sites ready and are submitting them everywhere they can... and within a few weeks we'll watch them issue statements about how the new program isn't working and how more needs to be done.

from the it'll-hit-their-bottom-lines dept

We've already pointed out how some tech companies, including Yahoo!, Google and Twitter have fought back against overly intrusive attempts at government surveillance (though, they often lose), and there's been some discussion about how these companies are fighting to protect their users' privacy. There's a further reason why all of the tech industry should be speaking out against NSA surveillance. Beyond just being the right thing to do to protect your users' privacy, it's likely that it also improves their bottom line. We're already starting to see the fallout from the revelations of the NSA being able to scoop up data from various tech companies, and it's going to be harmful to their revenue.

Right after the initial NSA leaks came out, David Kirkpatrick quickly wrote about how the Obama administration appeared to be sacrificing the US internet industry in a weak attempt at trying to increase security (despite no evidence that it's actually done that). The global implications of the NSA spying aren't hard to figure out -- especially when looking at how many people around the globe use these services:

It's quite possible that Obama has undermined the effectiveness and attractiveness for political speech and protest of what have been the most potent communications tools for activism in history. Political and commercial opponents of the U.S. in every country as well as governments themselves will likely alert citizens to the potential that U.S. companies could pass their info back to US authorities. This will seriously conflict with these companies' aim to maintain their platforms as neutral global environments. It could dramatically slow their global growth.

[....] Do we really want to impair such powerful tools for spreading dialogue, political discourse, and U.S. values? Is it worthwhile to impair the extraordinary financial and commercial success of these great flagships for the American economy? Does Obama want Facebook et al just to be seen as tools of American power? That is certainly not the way the average user in Bolivia sees it. They see it as a tool of their own personal power, and they don't want governments interfering with that.

Further, he points out, this will likely drive users to foreign corporations, rather than American ones, as they strive to protect their privacy:

Don't believe there are not alternatives to the U.S. Net colossi. Companies worldwide are already relentlessly working on alternatives. The second largest search service worldwide is China's Baidu, with more than 8% of searches globally at the end of last year according to ComScore. Russia's Yandex is at close to 3%, more than Microsoft's own search product. In social networking, China's Tencent has had a stunning recent success with its WeChat product, which by some counts has over 450 million users worldwide, including many tens of millions outside China. Most major Chinese Internet companies have global ambitions.

Kirkpatrick was focusing more on the consumer side, and the importance of using these tools for open and free communication. But the same issues clearly impact the business side as well. As CFO.com recently noted, companies are going to be a lot less trusting of US-based cloud computing companies because of these leaks. Exposing the key info to governments is a real risk:

At the end of the day, if you have mission critical data and information in the possession of a third party service provider - Cloud or otherwise – the assumption that your provider will be in full control over their environments may be drawn unto doubt. As a CFO, it is prudent to consider your next steps very carefully to ensure that your intellectual property and trade secrets do not become the assets of others.

Given the suggestions that the US government has used this surveillance as a form of economic espionage, these fears seem quite well grounded. Foreign companies are now going to be a lot less interested in using the services of American companies.

And this isn't a theoretical problem either. Sweden just issued a ruling that bars the public sector from using Google's cloud services. Meanwhile, India is already telling companies that they need to set up local servers rather than make use of US servers if they want to do business in India.

This issue is important on a number of levels, but technology companies, who rely on a global audience, should be standing up and loudly protesting the NSA's broad surveillance, because it's going to hit their bottom lines hard. The administration and the NSA are directly making it difficult for US internet companies to be global enterprises, at a time when that's exactly what we need. Is it really worth sacrificing one of the few growing and dynamic industries that the US has these days, based on some vague and unproven claims that the government "needs" all of this info? It seems like a massive cost for almost no benefit.